On 30 October 2011 15:18, Scott Wilson <[email protected]> wrote:
> As you may have noticed from WOOKIE-283 this turned out to be a far worse
> problem than not getting some twitter updates.
>
> I don't know what the original UC was for including Base64 authz headers, so
> I've just commented out all the code including them, and disabled the header
> type from being passed by other means.
>

I can confirm that this has solved the problem from the widget perspective. Thanks.

> As it's a critical security bug I suggest rolling this into the 0.9.1 release
> and issuing an advisory rather than waiting for 0.9.2.
>

+1

Normally such security concerns would be dealt with on the private list until resolved. I suggest liaising with [email protected] for guidance.

Ross

> On 30 Oct 2011, at 14:21, Ross Gardler wrote:
>
>> On 29 October 2011 01:28, Ross Gardler <[email protected]> wrote:
>>> Any idea why I'm being asked to login to wookie (via basic
>>> authentication) to access a proxied URL.
>>>
>>> e.g.
>>> http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
>>>
>>> Accessing the URL directly in the browser presents no problem.
>>
>> I can now reproduce this reliably using the item detail template test
>> widget or the browse template test widget:
>>
>> Preparation:
>>
>> - you need a fresh browser on which you have *not* logged into the
>>   admin console
>> - deploy the template test widgets: cd widgets/templates; ant
>>   generate-test-widgets
>> - visit the "Browse Test Widget"
>> - everything should work fine
>>
>> Reproduce the problem:
>>
>> - log into the wookie admin interface
>> - visit the Browse Test Widget
>> - you will be asked to login
>>
>>> The weather widget (which also makes a proxied request) works fine.
>>
>> This remains the case. I can only assume that this indicates a
>> difference in the interaction styles. The weather widget simply
>> consumes an RSS feed, the twitter widgets consume a REST service.
>>
>> I've raised an issue at https://issues.apache.org/jira/browse/WOOKIE-283
>>
>> Ross
>

--
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com
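As an added example (not Wookie's own code), a header allowlist for a widget proxy in the spirit of the fix Scott describes: credential-bearing headers are dropped whether they arrive on the browser's request or through a caller-supplied extras map, so a Base64 Basic credential cannot reach the remote host by either route. All function names, the allowlist, the sample request and the Basic values are constructed assumptions.

```python
# Added example modelled on the fix described in the thread; not Wookie's code.
# Names, allowlist and sample values below are assumptions for illustration.
from typing import Dict, List, Optional

# Headers the proxy may copy from the widget's request to the remote URL.
FORWARD_ALLOWLIST = {"accept", "accept-language", "content-type", "user-agent"}

# Credential-bearing headers that must never be relayed to a third-party host,
# regardless of how they were supplied.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def forwardable_headers(request_headers: Dict[str, str],
                        extra_headers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return the headers a proxy may send to the remote URL.

    request_headers: what the browser sent to the proxy (after logging in to the
    admin console this carries the Basic credential for the proxy itself).
    extra_headers: headers the caller asked the proxy to add, modelling "other
    means" of passing a header. Both paths go through the same allowlist.
    """
    out: Dict[str, str] = {}
    for source in (request_headers, extra_headers or {}):
        for name, value in source.items():
            key = name.lower()
            if key in CREDENTIAL_HEADERS:
                continue  # the remote host is not this credential's audience
            if key in FORWARD_ALLOWLIST:
                out[key] = value
    return out


def leaked_credentials(headers: Dict[str, str]) -> List[str]:
    """Names of credential headers present: a pre-send assertion or log check."""
    return sorted(h for h in headers if h.lower() in CREDENTIAL_HEADERS)


# Constructed sample: a browser logged in to the admin console (Basic auth)
# asks the proxy to fetch a REST resource; the Basic values are made up.
SAMPLE_REQUEST = {
    "Authorization": "Basic dXNlcjpjb25zdHJ1Y3RlZA==",
    "Cookie": "JSESSIONID=constructed",
    "Accept": "application/xml",
    "User-Agent": "constructed-widget/1.0",
}
SAMPLE_EXTRAS = {"Authorization": "Basic b3RoZXI6bWVhbnM=", "Accept-Language": "en"}

if __name__ == "__main__":
    sent = forwardable_headers(SAMPLE_REQUEST, SAMPLE_EXTRAS)
    print(sent, "leaked:", leaked_credentials(sent))
```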
